PHP Warning: curl_setopt() CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set

[AITpro Admin]

Email Question:

Edit: User stated that the PHP Warning: curl_setopt error occurred during the Setup Wizard installation, but the Setup Wizard did complete successfully.

I sent email to my hosting company and I am waiting for the response. I have some errors in logs:
and need also to change default admin login in WP. Can I do that via database, because WP it not allow to do that. What is you sugestion? Do i need to white-list all plugins which I am using? I have activated Wordfence Security, WordPress SEO. My URL is [removed for privacy]
You can scan my blog also, I have other blogs so can I use same whit-list in other blogs? I use same plugins. Should I turn off safe_mode amd disable/turn off open_basedir (Recommended)? How to do that? I am watching tutorial to learn how the plugin works.

[02-Sep-2013 21:23:35 UTC] PHP Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in /home/xxxxx/domains/xxxxx.com/public_html/wp-content/plugins/bulletproof-security/admin/wizard/wizard.php on line 883
[02-Sep-2013 21:24:48 UTC] PHP Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in /home/xxxxx/domains/xxxxx.com/public_html/wp-content/plugins/bulletproof-security/admin/wizard/wizard.php on line 883
[05-Sep-2013 11:08:14 UTC] PHP Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in /home/xxxxx/domains/xxxxx.com/public_html/wp-content/plugins/bulletproof-security/admin/wizard/wizard.php on line 883

Thank you,
Mike

[AITpro Admin]

EDIT/UPDATE: After closer investigation/research this is a very insignificant issue that is resolved by suppressing the php error with this line of code: @curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); with an @ symbol. This will be done in BPS Pro 8.4 for all/any code that use CURLOPT_FOLLOWLOCATION. Setup Wizard, System Info GET Headers Checking tool, cURL Scanner, etc.

“and need also to change default admin login in WP. Can I do that via database, because WP it not allow to do that. What is you sugestion?”

I recommend that you use the Simple Query String Login Protection code here instead:  http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

“Should I turn off safe_mode amd disable/turn off open_basedir (Recommended)?  How to do that?”

That is something you will need to ask your Host about since these php.ini directives may be set at the Server or there could be many different setting possibilities and your Host will be able to assist you with that since this will be unique to ONLY your particular Host Server.

“You can scan my blog also, I have other blogs so can I use same whit-list in other blogs? I use same plugins.”

I scanned website:  djxxxxx.com and this website does NOT have any Plugin scripts that need to be whitelisted in the Plugin Firewall.

“Do i need to white-list all plugins which I am using?”

No, you do not need to whitelist any plugins.

You should not be using safe_mode on your website. safe_mode never worked correctly anyway and it has been deprecated by the PHP folks and is will no longer exist in PHP 4.0.

Warning
This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
http://php.net/manual/en/features.safe-mode.php

open_basedir is another PHP directive that does not really add any additional protection for your website and typically just causes website problems.  I recommend that you turn it Off or disable it.

http://www.php.net/manual/en/ini.core.php#ini.open-basedir

Troubleshooting/Solutions

In any case, since one of these things is breaking the Plugin Firewall part of the Setup Wizard setup – the cURL Scanner for Plugin scripts to whitelist in the Plugin Firewall – then you will need to try using the cURL scanning tool in BPS Pro Pro-Tools to scan your site for plugin scripts that need to be whitelisted in the Plugin Firewall.

If you get the same errors when using the Pro-Tool cURL scanning tool then this means that either:

You will have to disable/turn off open_basedir (Recommended) or ask your Host to allow cURL scanning on your website/Server.  safe_mode should be turned off/disabled since it is deprecated/no longer being used in PHP so I assume the the actual problem is with open_basedir and not actually with safe_mode being turned on/enabled.  If safe_mode is actually turned on/enabled then it needs to be disabled/turned off.

Or you will not be able to use the cURL scanning tools in BPS Pro and will need to watch this video tutorial: http://forum.ait-pro.com/video-tutorials/#security-log-firewall for an alternative method to get plugin scripts from your Security Log and paste them into the Plugin Firewall whitelist text area.

Or we can scan your website remotely for you and send you your Plugin Firewall whitelist rules.  It is recommended though that the safe_mode and open_basedir issues are still looked into.  safe_mode should be disabled/turned off.  If it is not then this is a server configuration mistake that needs to be corrected.  open_basedir is problematic and causes problems and does not add any significant security protection for a website so it is recommended that this is also disabled/turned off.

[mbech]

Before i install Bulletproof on my live site i’ve installed it on my test site. It come out with this error: (i’ve xxxxxx out my domain name). I’ve got the same error 23 times ???  Every time i try this plugin i get errors i’ve hoped it was a easier to install with the 1click feature.

Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set in /home/s/p/ftp_xxxxxxxx/wp-content/plugins/bulletproof-security/admin/wizard/wizard.php on line 867

Best Regards

[AITpro Admin]

@ mbech – your Topic has been merged into this relevant Topic.

See the Troubleshooting/Solutions help section above in the previous Post in this Topic:  http://forum.ait-pro.com/forums/topic/php-warning-curl_setopt-curlopt_followlocation-cannot-be-activated-when-safe_mode-is-enabled-or-an-open_basedir-is-set/#post-9374

[AITpro Admin]

[Topic/Post manually moved/merged to this relevant Topic]
I just noticed the following in my php error log in my wp-admin folder. My open_basedir is set to…Just thought you might like to know.

open_basedir = "/home/user/"

[30-Jan-2014 08:35:07 UTC] PHP Warning: curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when an open_basedir is set in /home/user/public_html/mydomain.com/wp-content/plugins/bulletproof-security/admin/system-info/system-info.php on line 583

[AITpro Admin]

I think what we will do is just suppress this php error in the next BPS Pro version release since this is very insignificant/not important and can be ignored. If you would like to suppress the php error now you can make this code modification in the /bulletproof-security/admin/system-info/system-info.php file. Add and @ symbol to this line of code: @curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); as shown below.

$disabled = explode(',', ini_get('disable_functions'));

if ( extension_loaded('curl') && !in_array('curl_init', $disabled) && !in_array('curl_exec', $disabled) && !in_array('curl_setopt', $disabled) ) {

$url = ( isset($_POST['bpsURL']) ) ? $_POST['bpsURL'] : '';
$useragent = 'BPS Headers Check';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
@curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_FILETIME, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD Request method
$ce = curl_exec($ch);
curl_close($ch);

[Author]

Posts